我正在使用 Terraform 创建 S3 的 AWS Code Deploy IAM 策略,但收到错误 MalformedPolicyDocument:已禁止字段资源。
main.tf 文件:
这是 AutoScalePolicy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:PutAccessPointPublicAccessBlock",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:ListMultiRegionAccessPoints",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::s3-demo",
"arn:aws:s3:::s3-demo/*"
]
}
]
}
尝试更改 IAM 策略和 S3 存储桶名称,但问题仍然存在。已解决这些问题:
AutoScalePolicy.json
是一项策略,而不是一个 Should_role_policy。你应该使用这样的东西:
resource "aws_iam_role" "test_role" {
...
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "codedeploy.amazonaws.com"
}
},
]
})
inline_policy {
name = "role_policy"
policy = file("${path.module}/AutoScalePolicy.json")
}
...
}
资源文档提到了策略和承担角色策略之间的区别。
在
assume_role_policy
中,您指定信任策略。它没有定义角色可以做什么,而是定义了谁可以承担它。
它应该看起来像这样:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "codedeploy.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
这只是告诉 CodeDeploy 可以承担这个角色。